Methods and systems for detecting compromised sensors using dynamic watermarking

ABSTRACT

Systems and methods for detecting compromised sensors using dynamic watermarking. In some examples, a method includes injecting a dynamic random signal into an input of a power distribution system. The power distribution system includes at least one sensor and at least one power electronic controller configured to use the at least one sensor. The method includes monitoring a sensor signal from the at least one sensor. The method includes determining whether the at least one sensor is compromised based on a comparison between the dynamic random signal and the sensor signal.

PRIORITY CLAIM

This application claims the benefit of U.S. Provisional Patent Application Ser. No. 63/352,131, filed Jun. 14, 2022, the disclosure of which is incorporated herein by reference in its entirety.

GRANT STATEMENT

This invention was made with government support under Grant No. DE-EE0009031 awarded by the Department of Energy. The government has certain rights in the invention.

BACKGROUND

Grid-tied photovoltaic (PV) systems are increasingly being used in distribution power systems due to the high contribution of such systems in power generation to the utility grid. These inverters are rapidly increasing due to the rise of distributed generation (DG) based on renewable energy technologies. As a result of the increase in such topologies, the number of power electronics devices in the electrical grid increases, consequently increasing the number of sensors in the electrical grid. Since each sensor is considered a vulnerable point for cyber-attacks, it is crucial to equip the PV inverters with a cyber-attack detector to defend the inverters against possible cyber-attacks.

SUMMARY

This document describes systems and methods for detecting compromised sensors using dynamic watermarking. In some examples, a method includes injecting a dynamic random signal into an input of a power distribution system. The power distribution system includes at least one sensor and at least one power electronic controller configured to use the at least one sensor. The method includes monitoring a sensor signal from the at least one sensor. The method includes determining whether the at least one sensor is compromised based on a comparison between the dynamic random signal and the sensor signal.

The computer systems described herein can be implemented in software in combination with hardware and/or firmware. For example, the subject matter described herein can be implemented in software executed by a processor. In one example implementation, the subject matter described herein may be implemented using at least one computer readable medium having stored thereon computer executable instructions that when executed by the processor of a computer cause the computer to perform steps or operations. Exemplary computer readable media suitable for implementing the subject matter described herein include non-transitory devices, such as disk memory devices, chip memory devices, programmable logic devices, and application specific integrated circuits. In addition, a computer readable medium that implements the subject matter described herein may be located on a single device or computing platform or may be distributed across multiple devices or computing platforms.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1B show examples of grid-tied photovoltaic systems.

FIG. 1C is a block diagram of an example system for monitoring at least one sensor in a power distribution system.

FIG. 2 is a block diagram illustrating an example active detection scheme for cyber-attacks on sensors controlling a grid-tied photovoltaic system.

FIG. 3 is a block diagram illustrating a PV system tied to the grid and the dynamic watermarking (DW) signal injection point.

FIGS. 4A-4B demonstrate the grid connected inverter through an inductor.

FIG. 5 shows the experimental setup of the grid tied inverter systems.

FIG. 6 shows the laboratory test results of the harmonics injection attack.

FIG. 7 shows a replay attack conducted on the grid-tied inverter prototype.

FIG. 8 is a block diagram of a security system for an unmanned aerial vehicle flight control system.

FIG. 9 is a block diagram of an example grid tied PVT system showing possible sensor spoofing (manipulation) by an external attacker.

FIG. 10 is a block diagram of an example industrial control system (ICS) with an example defense mechanism to protect programmable logic circuit (PLC)-based infrastructure.

DETAILED DESCRIPTION

This document describes the development of a “Cybershield,” a robust cyber intrusion detection scheme employing the dynamic watermarking principle. The application of the “Cybershield” to a grid connected photovoltaic system is explained first. The team has pioneered an active technique to detect cyber-attacks on the appropriate, more general electrical systems described below. Compared with existing passive detection approaches, the dynamic watermarking approach injects a secret signal into the system and can thereby detect a wide class of cyber-attacks with a rigorous theoretical guarantee. The basic idea of the approach is as follows: instead of using the actual decisions made by the controller, a small, stochastic signal, i.e., the watermark signal, is superimposed upon the decision from the controller. Such a watermark signal has a certain statistical signature which is propagated into the measurements. By checking for the existence of the appropriately transformed statistical signature, any potential attacks in a broad class, such as replay attacks and noise injection attacks, can be detected. The signature in the measurements can be checked by two dedicated statistical tests.

The watermarking system can be used in any appropriate electrical system to identify compromised sensors, i.e., sensors compromised maliciously or by otherwise failing or degrading. The watermarking system can be used, e.g., on a grid connected photovoltaic system. A private (secret) watermarking signal is superimposed on the control input (modulation signal) of the grid-tied inverter system. This private signal (watermark) propagates through the system and appears in the sensor data. Two statistical tests are used to identify malicious activity on the reported sensor measurements by comparing the actual system's returned sensor signal with the one expected based on the system model obtained through system ID algorithms. In the first variance test, the real time measurements are compared against the system model which contains the watermark. The second variance test is similar to the first test except that the system ID model doesn't include the watermarking signal. The two tests together can be used to detect more complex attacks.

In some examples, the watermarking system can be used in systems even though the control inputs are not accessible, e.g., in a commercially available inverter. For example, the watermark can be injected at the DC input terminals where the PV power source is connected, e.g., by a dedicated device located between the PV power source and the inverter. The “Cybershield” employs the injected watermark along with sensor data to compute two statistical tests to successfully detect cyber intrusions in the system.

The dynamic watermarking approach applied for the PV system can also be applied to protect and secure thousands of sensor measurement signals widely employed in our nation's critical energy infrastructure (CEI) as well. In a typical CEI and/or a large process facility that handles crude oil/petrochemical plant there are several thousands of process sensors. The data collected from the sensors control complex industrial processes such as in coal/nuclear/natural gas power stations, petrochemical plants, solar/wind energy systems, etc. Potential cyber-attack/intrusion systems can manipulate/corrupt the data and can potentially destabilize systems that are essential and form the backbone of our nation's CEI. In order to detect cyber intrusions and manipulations of sensor data by external actors, a private random signal (watermark) is injected into the voltage of the electric distribution system. The detection approach in the “Cybershield” includes monitoring various sensor data and performing two statistical tests.

The watermarking signal can be injected in the DC input terminals of a grid connected PV system and/or in a central location in the power distribution system such as an input three phase AC power distribution. The watermark signal is expected to propagate throughout the electrical equipment such as transformers, power electronic converters/inverters that control the grid connected systems and critical process controls in an industrial plant. A “Cybershield” device can monitor data collected from many sensors to perform two computational tests to determine if any of the sensors have been compromised due to cyber intrusions or other failures.

FIGS. 1A-1B show examples of grid-tied photovoltaic (PV) systems. FIG. 1A shows a residential PV system coupled to a meter, an inverter, and a utility grid. FIG. 1B shows a commercial PV production system.

FIG. 1C is a block diagram of an example system 100 for monitoring at least one sensor 102 in a power distribution system 104. The system 100 includes a watermarking device 106 that includes an input 108 for receiving an electrical signal 110. The watermarking device 106 includes a watermark injector circuit 112 configured for injecting a dynamic random signal into the electrical signal 110. In some examples, the dynamic random signal has a Gaussian distribution with zero mean and an amplitude range sufficiently small such that the dynamic random signal propagates through the power distribution system 104 without disturbing the performance of one or more power conversion stages.

The watermarking device 106 includes an output 114 for outputting the electrical signal 116 with the dynamic random signal superimposed on the electrical signal to the power distribution system 104. The power distribution system 104 includes at least one power electronic controller 118 configured to use the sensor 102.

The system 100 includes a monitoring system 120 that includes at least one processor 122 and memory 124 storing instructions for the processor 122. The monitoring system 120 includes a monitor 126 configured for monitoring at least one sensor signal 128 from the sensor 102. The monitor 126 is configured for determining whether the sensor 122 is compromised based on a comparison between the dynamic random signal and sensor signal 128.

Determining whether the at least one sensor is compromised can include performing two or more variance tests. Performing two or more variance tests can include using moving average sampling. Determining whether the sensor 102 is compromised can include determining that a sequence of measurements from the sensor signal 128 fails at least one variance test by an error amount exceeding a threshold error. Determining whether the sensor 102 is compromised can include detecting if the sensor 102 is malfunctioning and/or the sensor 102 is processing an incorrect signal.

In some examples, the power distribution system 104 is a grid-tied photovoltaic system and the power electronic controller 118 comprises a direct current/alternating current (DC-AC) inverter. In some examples, injecting the dynamic random signal includes injecting the dynamic random signal into an input of the power conversion system 104 by injecting the dynamic random signal into a direct current (DC) input of the inverter. The input can be, e.g., an electrical node between a photovoltaic power source and the inverter. Injecting the dynamic random signal into the input can include injecting the dynamic random signal into a control input of a power conversion device.

FIG. 2 is a block diagram illustrating an example active detection system 200 for cyber-attacks on sensors controlling a grid-tied photovoltaic system. The system 200 includes an inverter system 202 coupled to a PV array 204. The system 200 includes a watermarking device 106 that injects a dynamic watermark into an input 206 of the inverter system 202. The input 206 receives a control signal from the inverter control system that has the dynamic watermark superimposed on the control signal.

FIG. 3 is a block diagram illustrating a PV system tied to the grid and the dynamic watermarking (DW) signal injection point. The watermarking signal is injected over the control input, which is generated by a controller. The DW signal then travels through the whole system, including the sensors, which send feedback to the current and voltage controllers to govern the power flow from the PV array to the utility grid.

The DW algorithm includes superimposing a small signal, e[k], smaller than the system's noise, that is truly random and has a Gaussian distribution with zero mean, on the control input of a converter. The actuator can check if e[k] is properly detected in the system sensor's measurement readings. Two statistical tests are developed to validate the sensor's measurements by comparing the actual readings with the system model developed through the transfer functions. If the readings do not agree, the two tests will show a jump in variance indicating a possible attack on the sensor.

For the PV system shown in FIGS. 2 and 3, the fundamentals of the DW algorithm revolve around injecting a private signal, that is truly random and unknown to remote observers of the system, onto the control signals of converters, in our case the modulation index, m, of an inverter that controls the inverter stage of the grid-tied inverter system. This small random signal is called a “watermarking signal” because it is “indelible” like a watermark on a sheet of paper; it cannot be removed from the sensor measurement.

The essence of the DW algorithm is to inject a random private signal e[k] that is buried in the inherent noise of the system and travels through all the sensors. This truly random signal, with a unique seed only known to the developer, is added to the control signal of the system. The “watermarking” name comes from the fact that the signal is always present in the system's signals.

DC-AC Inverter Analysis

In this section a simplified mathematical model of a DC-AC inverter system is developed between the inverter output current and the control signal. FIGS. 4A-4B demonstrate the grid connected inverter through an inductor Ls. The short circuit impedance and the line resistance are represented. FIG. 4A shows the grid tied inverter and FIG. 4B shows the small signal circuit equivalent.

Equation (2) represents the transfer function of the system.

$\begin{matrix}{\frac{i_{grid}(s)}{\Delta{m_{a}(s)}} = \frac{\frac{V_{dc}}{\sqrt{2}}}{\left( {L_{s} + L_{g}} \right)\left( {s + \frac{R}{L_{s} + L_{g}}} \right)}} & (1)\end{matrix}$

To simplify equation (1) we define,

$\beta_{1} = \frac{V_{dc}}{\sqrt{2}\left( {L_{s} + L_{g}} \right)}, \qquad \beta_{2} = \frac{R}{L_{s} + L_{g}}$

Equation (1) can now be rewritten as,

$\begin{matrix}{\frac{i_{g}(s)}{m_{a}(s)} = \frac{\beta_{1}}{s + \beta_{2}}} & (2)\end{matrix}$

Equation (3) represents the continuous differential equation which corresponds to equation (1).

$\begin{matrix}{{\dot{i}_{g}(t)} = {{- \beta_{2}}{i_{g}(t)} + \beta_{1}{m_{a}(t)}}} & (3)\end{matrix}$

To convert this equation to a discrete system, we use the Tustin method, with the knowledge of the sample time Δt

$\begin{matrix}{{i_{g}\left\lbrack {k + 1} \right\rbrack} = {\beta_{2}^{\prime}{i_{g}\lbrack k\rbrack} + \beta_{1}^{\prime}{m_{a}\lbrack k\rbrack}}} & (4)\end{matrix}$

where β₁′ and β₂′ are obtained by the Tustin method based on original system parameters.

The DW signal e[k] is superimposed on the control signals of the plant. With the DW signal added to the control signal, i.e., the modulation signal $m_{a}[k]$, we denote the new modulation index signal by $m_{a(WM)}[k]$ as shown in (5)

$\begin{matrix}{{m_{a({WM})}\lbrack k\rbrack} = {{m_{a}\lbrack k\rbrack} + {e\lbrack k\rbrack}}} & (5)\end{matrix}$

Now substituting (5) in (4) we acquire $i_{g(WM)}[k+1]$ which includes the DW as,

$\begin{matrix}{{i_{g({WM})}\left\lbrack {k + 1} \right\rbrack} = {\beta_{2}{i_{g}\lbrack k\rbrack} + \beta_{1}{m_{a({WM})}\lbrack k\rbrack}}} & (6)\end{matrix}$

Simplifying (6) we obtain,

$\begin{matrix}{{i_{g({WM})}\left\lbrack {k + 1} \right\rbrack} = {\beta_{2}{i_{g}\lbrack k\rbrack} + \beta_{1}\left( {{m_{a}\lbrack k\rbrack} + {e\lbrack k\rbrack}} \right)}} & (7)\end{matrix}$

Assume the actual grid current of the DC-AC inverter obtained from a smart meter or a sensor is z[k] and a system model is developed to generate a replicated signal, $i_{g}[k]$, that is always healthy. For a system operating in normal conditions, the current sensor signal is $z[k] \equiv i_{g}[k]$. Should the grid current sensor be compromised, $z[k] \not\equiv i_{g}[k]$. Two statistical tests are designed to validate the sensed signals and alert in cases of an attack.

Variance Test 1 for the Grid-tied Inverter:

Considering equation (7), $i_{g(WM)}[k+1]$ represents the system model output, in this case the grid current, including the DW signal. z[k+1] represents the actual sensor measurement of the plant. Variance test 1 is given by,

$\begin{matrix}{{\lim\limits_{K\rightarrow\infty}{\frac{1}{K}{\sum\limits_{k = 0}^{K - 1}\left( {{z\left\lbrack {k + 1} \right\rbrack} - {i_{g({WM})}\left\lbrack {k + 1} \right\rbrack}} \right)^{2}}}} = \sigma_{\omega}^{2}} & (8)\end{matrix}$

This method uses moving average sampling, and equation (8) is calculated continuously over a set number of samples predefined by the algorithm. In the instances where the actual system's signals and the model's measurements are the same, variance test 1 will only show the system's noise, $\sigma_{\omega}^{2}$, and the algorithm concludes that the plant is healthy, i.e., no attack is occurring. If the measured signals of the model and the plant do not match, i.e., z[k+1] and $i_{g(WM)}[k+1]$ are not equal, then the variance test will show a jump indicating that a cyber attack targeting the plant's sensor may be taking place.

Variance Test 2 for the Grid-tied Inverter:

Variance Test 2 is essentially the difference between the actual grid current measurement, z[k+1], and $i_{g}[k+1]$ obtained from the model and is given by,

$\begin{matrix}{{\lim\limits_{K\rightarrow\infty}{\frac{1}{K}{\sum\limits_{k = 0}^{K - 1}\left( {{z\left\lbrack {k + 1} \right\rbrack} - {i_{g}\left\lbrack {k + 1} \right\rbrack}} \right)^{2}}}} = {\sigma_{\omega}^{2} + {\left( \beta_{1} \right)^{2}\sigma_{e}^{2}}}} & (9)\end{matrix}$

The actual current measurement from the plant in equation (9) is z[k+1], and $i_{g}[k+1]$ is the output current calculated from the system model shown in equation (4), which does not include the DW signal. Similar to test 1, if the actual system's signals and the model's measurements are the same, the output of equation (9) will show the system's noise, $\sigma_{\omega}^{2}$, and the DW signal variance $\sigma_{e}^{2}$. Otherwise, the test will show a jump indicating the possibility of an attack occurring on the system. If an attacker replaces the actual signal fed to the controller with a signal obtained from a simulated model, the attacker's signal won't include the DW signal. Since the testing algorithm looks for the traces of the DW signal in the measurements, it will signal an attack.
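The two variance tests can be exercised in simulation. The following is an added example, not code from the patent: it simulates the discrete model of equation (4) with a watermarked input, then evaluates equations (8) and (9) as moving averages for a healthy sensor, a replayed sensor signal, and a sensor signal substituted by a watermark-free model output. The parameter values, the sinusoidal modulation command, the 25% tolerance, and the use of the reported measurement z[k] as the model state in the one-step prediction are all assumptions of this example.

```python
import math
import random
from collections import deque

# Constructed parameters (assumptions, not values from the page).
B1, B2 = 0.5, 0.9      # beta_1', beta_2' of the discrete model, eq. (4)
SIGMA_W = 0.02         # std of the system noise w[k]
SIGMA_E = 0.03         # std of the private watermark e[k]
WINDOW = 4000          # samples in the moving average
PERIOD = 250           # samples per cycle of the modulation command


def simulate(n, rng):
    """True plant driven by m_a[k] + e[k], eq. (5)-(7), plus noise w[k]."""
    m, e, z = [], [], [0.0]
    for k in range(n):
        m.append(0.8 * math.sin(2 * math.pi * k / PERIOD))
        e.append(rng.gauss(0.0, SIGMA_E))
        z.append(B2 * z[-1] + B1 * (m[k] + e[k]) + rng.gauss(0.0, SIGMA_W))
    return m, e, z


def variance_tests(z, m, e, window=WINDOW):
    """Moving-average estimates of eq. (8) and eq. (9) over the last window."""
    r1, r2 = deque(maxlen=window), deque(maxlen=window)
    for k in range(len(m)):
        model = B2 * z[k] + B1 * m[k]                   # eq. (4), no watermark
        r2.append((z[k + 1] - model) ** 2)              # Test 2 residual
        r1.append((z[k + 1] - model - B1 * e[k]) ** 2)  # Test 1 residual, eq. (7)
    return sum(r1) / len(r1), sum(r2) / len(r2)


def is_compromised(v1, v2, tol=0.25):
    """Flag the sensor when either variance leaves its expected value."""
    exp1 = SIGMA_W ** 2                                 # right side of eq. (8)
    exp2 = SIGMA_W ** 2 + B1 ** 2 * SIGMA_E ** 2        # right side of eq. (9)
    return abs(v1 - exp1) > tol * exp1 or abs(v2 - exp2) > tol * exp2


def replay(z, start, lag):
    """Reported signal that repeats samples recorded `lag` steps earlier."""
    return [z[k - lag] if k >= start else z[k] for k in range(len(z))]


def model_substitution(z, m, start, rng):
    """Reported signal generated from the model without the watermark."""
    out = list(z)
    for k in range(start, len(z)):
        out[k] = B2 * out[k - 1] + B1 * m[k - 1] + rng.gauss(0.0, SIGMA_W)
    return out


def run_scenarios(seed=1):
    """Return {scenario: (test1, test2)} for the final moving-average window."""
    rng = random.Random(seed)
    n, start = 12000, 6000
    m, e, z = simulate(n, rng)
    reported = {
        "healthy": z,
        "replay": replay(z, start, lag=4 * PERIOD),
        "model_substitution": model_substitution(z, m, start, rng),
    }
    return {name: variance_tests(sig, m, e) for name, sig in reported.items()}


if __name__ == "__main__":
    for name, (v1, v2) in run_scenarios().items():
        print(f"{name:20s} test1={v1:.2e} test2={v2:.2e} "
              f"compromised={is_compromised(v1, v2)}")
```

In this constructed simulation the replayed signal raises Test 1 while leaving Test 2 near its expected value, and the watermark-free substitute shifts both tests, which illustrates why the two tests are evaluated together.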

Example Test Results

Several cyber attack scenarios were tested on a laboratory prototype grid-tied inverter system (Table 1 shows the specifications).

TABLE I: Grid-tied PV system design parameters

| Parameter | Magnitude |
|---|---|
| Rated Power | 5 kW 0.5 pu |
| DC link voltage | 200 v |
| Switching frequency | 15 kHz |
| Grid voltage | 120 v rms |
| Grid impedance | L_(grid), R_(grid) |

FIG. 5 shows the experimental setup of the grid tied inverter systems. Two attack scenarios are detailed: a) Harmonic injection attack and b) Replay attack.

Harmonic Injection Attack

FIG. 6 shows the laboratory test results of the harmonics injection attack. It can be seen that after the attack starts, 3rd and 5th harmonics were injected into the current sensor.

Variance tests 1 and 2 show a jump indicating malicious activity (attack) on the current sensor. The attack is detected almost instantaneously, in less than a cycle (16 ms). It can also be seen that the attack resulted in distorting the current fed to the grid (FIG. 6). In the event the injected harmonics were larger in magnitude, the grid-tied inverter system could have tripped and/or caused voltage distortion at the point of common coupling.

Replay Attack

In this attack a healthy signal is recorded at a previous time during the normal operation of the system. This signal is then replayed instead of the current sensor signal to show that the system is performing normally regardless of what happens in real time. This type of attack has been recorded before in the well known incident “Stuxnet”. The digital watermarking signal is able to detect such a complex attack due to the randomness of the signal. The watermarking signal propagates through the whole system continuously.

Since the attacker will show a replayed signal recorded in the past or obtained from an accurate simulation model, the watermarking signal that is present in the recorded signal will be different than the signal present in the system model which we are comparing against in variance tests 1 and 2. This difference in watermarking signal signature is detected by the algorithm as an anomaly in the system and as a result the attack can be identified. FIG. 7 shows a replay attack conducted on the grid-tied inverter prototype. In this attack a healthy signal was recorded and replayed. The algorithm detects the attack as the variances jump, signaling an attack on the sensor.

FIG. 8 is a block diagram of a security system for an unmanned aerial vehicle flight control system. To provide a concrete setting, we consider the security problem in the context of a helicopter which is compromised by a malicious agent that distorts elevation measurements to the control loop. This is a particular example of the problem of the security of stochastic control systems under erroneous observation measurements caused by malicious sensors within the system.

In order to secure the control system, we consider dynamic watermarking, where a private random excitation signal is superimposed onto the control input of the flight control system. An attack detector at the actuator can then check if the reported sensor measurements are appropriately correlated with the private random excitation signal. This is done via two specific statistical tests whose violation signifies an attack.

FIG. 9 is a block diagram of an example grid tied PVT system showing possible sensor spoofing (manipulation) by an external attacker. FIG. 9 shows a detailed schematic along with sensor measurements required for the control of the DC-DC and DC-AC conversion stages in the system. The DC output from the PV panels is interfaced to a DC-DC boost converter that is controlled in closed loop to regulate the output (DC) voltage and simultaneously enable maximum power point tracking (MPPT). The DC-DC boost stage is followed by a pulse width modulated (PWM) DC-AC inverter and output filter, and is connected to the utility grid. The output of the MPPT stage forms the available power input command to the DC-AC inverter stage. The current and voltage sensors regulate the power flow from the PV to the utility grid.

The example DWS system operates by injecting (superimposing) a private (secret) random excitation signal e[k] that has a Gaussian distribution on the signal that controls the switch duty cycle “d” of the DC-DC converter stage and the modulation index “m_(a)” on the DC-AC inverter stage that controls the switch on/off states. The magnitude of the random excitation signal e[k] is small and does not affect the performance of the system. However, the watermark signal e[k] propagates through the power conversion stages and manifests in the voltage/current signals that are sensed. Should any of the sensors that control the power conversion stages be compromised (spoofed and/or altered by the attacker), a series of statistical tests are used to check whether each of the reported sensor measurement readings is compatible with the injected (superimposed) watermark to determine any malicious tampering.

FIG. 10 is a block diagram of an example industrial control system (ICS) with an example defense mechanism to protect programmable logic circuit (PLC)-based infrastructure. The defense mechanism can include the addition of a unique digital watermark to the pulse-width modulation (PWM) control that adjusts the motor speed to control the critical process. This enables efficient detection and identification of any unauthorized modifications to the sensor signals responsible for controlling the plant.

As shown in the example of FIG. 10, the PLC is tasked/programmed with closed loop control functions (such as PI/PID) to adjust the variable frequency drive (VFD) speed to adjust the flow rate to control the water tank level. A pressure sensor in the water tank-1 translates the water level via a sensor signal that is then fed back to the PLC.

During normal operation, the closed loop system functions appropriately by adjusting the VFD motor/pump to regulate the water tank level-1. The defense mechanism operates by adding a unique small magnitude digital watermarking signal (a random variable with a Gaussian distribution and zero mean average) to the control signal to adjust the VFD speed. The watermark signal then propagates through the VFD/Motor/Pump and its signature is reflected on the water tank level sensed by the pressure sensor. Two variance tests are then conducted continuously to realize a defensive mechanism by observing the signal's presence and validating its signature by comparing it to the system model. A high value in the variance computed in Test-1 and Test-2 is shown to indicate the presence of false data in the water tank level information (i.e., the pressure sensor data has been manipulated).

It will be understood that various details of the presently disclosed subject matter can be changed without departing from the scope of the presently disclosed subject matter. Furthermore, the foregoing description is for the purpose of illustration only, and not for the purpose of limitation.

The control systems and computer systems described herein may be implemented in hardware, software, firmware, or any combination thereof. In some exemplary implementations, the subject matter described herein may be implemented using a computer readable medium having stored thereon computer executable instructions that when executed by the processor of a computer control the computer to perform steps.

Exemplary computer readable media suitable for implementing the subject matter described herein include non-transitory computer readable media, such as disk memory devices, chip memory devices, programmable logic devices, and application specific integrated circuits. In addition, a computer readable medium that implements the subject matter described herein may be located on a single device or computing platform or may be distributed across multiple devices or computing platforms.

What is claimed is:
 1. A method comprising: injecting a dynamic random signal into an input of a power distribution system, the power distribution system comprising at least one sensor and at least one power electronic controller configured to use the at least one sensor; monitoring a sensor signal from the at least one sensor; and determining whether the at least one sensor is compromised based on a comparison between the dynamic random signal and the sensor signal.
 2. The method of claim 1 wherein the power distribution system is a grid-tied photovoltaic system and the at least one power electronic controller comprises a direct current/alternating current (DC-AC) inverter.
 3. The method of claim 2 wherein injecting the dynamic random signal into the input comprises injecting the dynamic random signal into a direct current (DC) input of the inverter.
 4. The method of claim 2 wherein the input is an electrical node between a photovoltaic power source and the inverter.
 5. The method of claim 1 wherein injecting the dynamic random signal into the input comprises injecting the dynamic random signal into a control input of a power conversion device.
 6. The method of claim 1 wherein the dynamic random signal has a Gaussian distribution with zero mean and an amplitude range sufficiently small such that the dynamic random signal propagates through the power distribution system without disturbing the performance of one or more power conversion stages.
 7. The method of claim 1 wherein determining whether the at least one sensor is compromised comprises performing two or more variance tests.
 8. The method of claim 6 wherein performing two or more variance tests comprises using moving average sampling.
 9. The method of claim 1 wherein determining whether the at least one sensor is compromised comprises determining that a sequence of measurements from the sensor signal fails at least one variance test by an error amount exceeding a threshold error.
 10. The method of claim 1 wherein determining whether the at least one sensor is compromised comprises detecting if the at least one sensor is malfunctioning and/or the at least one sensor is processing an incorrect signal.
 11. A system comprising: a watermarking device comprising: an input for receiving an electrical signal; a watermark injector circuit configured for injecting a dynamic random signal into the electrical signal; and an output for outputting the electrical signal with the dynamic random signal superimposed on the electrical signal to a power distribution system, the power distribution system comprising at least one sensor and at least one power electronic controller configured to use the at least one sensor; and a monitoring system, implemented on at least one processor, configured for monitoring a sensor signal from the at least one sensor and determining whether the at least one sensor is compromised based on a comparison between the dynamic random signal and the sensor signal.
 12. The system of claim 11, wherein the power distribution system is a grid-tied photovoltaic system and the at least one power electronic controller comprises a direct current/alternating current (DC-AC) inverter.
 13. The system of claim 12, wherein injecting the dynamic random signal into the input comprises injecting the dynamic random signal into a direct current (DC) input of the inverter.
 14. The system of claim 12, wherein the input is an electrical node between a photovoltaic power source and the inverter.
 15. The system of claim 11, wherein injecting the dynamic random signal into an input comprises injecting the dynamic random signal into a control input of a power conversion device.
 16. The system of claim 11, wherein the dynamic random signal has a Gaussian distribution with zero mean and an amplitude range sufficiently small such that the dynamic random signal propagates through the power distribution system without disturbing the performance of one or more power conversion stages.
 17. The system of claim 11, wherein determining whether the at least one sensor is compromised comprises performing two or more variance tests.
 18. The system of claim 16, wherein performing two or more variance tests comprises using moving average sampling.
 19. The system of claim 11, wherein determining whether the at least one sensor is compromised comprises determining that a sequence of measurements from the sensor signal fails at least one variance test by an error amount exceeding a threshold error.
 20. The system of claim 11, wherein determining whether the at least one sensor is compromised comprises detecting if the at least one sensor is malfunctioning and/or the at least one sensor is processing an incorrect signal.